(54) Access point device and authentication method thereof



(57) An access point device and its authentication method are provided which can dramatically improve a wireless LAN system in security level. The access point device includes: authentication request display means for notifying a network administrator administering the LAN of the presence of an authentication-requesting mobile station so as to gain the final authorization of an authentication procedure when a mobile station in the area performs the authentication procedure before the initiation of an association procedure; and authentication input means from which the network administrator notified inputs an authentication-authorizing or -rejecting instruction with respect to the authentication-requesting mobile station.

2. Description of the Prior Art

[0002] In recent years, the construction of LANs (Local Area Networks) by means of radio communication technologies, or so-called wireless LANs, has greatly increased in view of the inconvenience of cable wiring. Furthermore, the availability of terminals typified by notebook PCs also contributes to this, and the trend is expected to continue in the future. Among the standards for wireless LANs is IEEE 802.11, which is standardized by the IEEE (Institute of Electrical and Electronics Engineers). This standardized technology provides definitions from the physical layer up to the lower sublayer of the datalink layer, or the MAC layer, and additionally provides a roaming function.

[0003] Now, when a LAN is constructed by the wired Ethernet or the like, connection with the LAN requires a physical operation such as connecting cables to a hub or the like. This means a very high level of protection against unauthorized connection: even if intruders attempt to connect their terminals to the network, that physical operation is extremely difficult to perform in secrecy, since in typical LAN arrangements the users and the hubs, routers, and the like that constitute the LAN are located in the same closed section. In a wireless LAN system, the above-mentioned operation of connecting Ethernet cables is replaced by the association procedure of the existing IEEE 802.11 described above, a procedure in which mobile terminals get connected by access points to a wired backbone network.

[0004] According to the association procedure, a mobile station issues an association request to the access point with a Service Set Identifier (SSID) added. The access point receiving it identifies the mobile station by the above-mentioned SSID and determines, in accordance with a predetermined association authorization rule, whether or not to authorize the association. If it authorizes, the access point sends an association-authorizing response message to the mobile station; if it rejects, it sends an association-rejecting response message. Therefore, this association procedure by itself cannot prevent a mobile station that has obtained the SSID from establishing the association. In order to prevent this, an authentication procedure is performed before the association procedure as well; in a system provided with this authentication, a mobile station cannot establish the association and perform data communication unless it completes the authentication procedure. This consequently provides an effective means of preventing the above-mentioned unauthorized association, which requires no physical operation.

[0005] The authentication procedure is defined as the Shared Key Authentication procedure in IEEE 802.11. Now, this procedure will be described with reference to Figs. 5 and 6.

[0006] Fig. 5 is a diagram showing the general configuration of a conventional wireless LAN system. Fig. 6 is a diagram showing the control sequence of the conventional authentication and association procedures.

[0007] In Fig. 5, the reference numeral 1 represents a wireless area network, 2 an access point AP, and 3 mobile stations MT1 to MT4. The access point AP 2 is connected to the mobile stations by radio transmission channels, defining a definite area covered by the AP 2.

[0008] Fig. 6 shows the sequences for situations where a mobile station (for example MT1) is turned on or otherwise initiates the authentication and association procedures with respect to the access point AP 2.

[0009] Initially, the mobile station MT1 sends an authentication request message 1 to the access point AP 2 to initiate the Shared Key Authentication procedure. Receiving this message (AP authentication processing 1), the access point AP 2 performs a numerical operation in accordance with the WEP (Wired Equivalent Privacy)-PRNG (Pseudorandom Number Generator) algorithm by using the Initialization Vector and Secret Key values, which can be determined arbitrarily on each execution of this authentication procedure, as the parameters. The access point AP 2 thereby calculates a 128-octet uniquely-determined Challenge Text value, and sends an authentication response message 1 including this value to the mobile station MT1.
[0010] Next, receiving this authentication response 
message 1 at MT authentication processing 9, the mo- 
bile station MT1 ciphers the Challenge Text value includ- 
ed therein, in accordance with the WEP cipher algorithm 
by using the Shared Secret Data and Initialization Vector 
as the parameters. The result and the aforementioned 
Initialization Vector are included into an authentication 
request message 2, which is returned to the access 
point AP 2. 

[0011] Then, receiving this authentication request message 2 at AP authentication processing 10 (AP authentication processing 2), the access point AP 2 decodes the ciphered Challenge Text value received, based on the Initialization Vector received concurrently and the aforementioned Shared Secret Data known in advance. The resulting value is compared with the original Challenge Text value described above. If identical, the authentication is authorized. If not, the authentication is rejected. The result of this is returned as an authentication response message 2 to the mobile station MT1. Then, if the result is of authorization, the mobile station MT1 receiving this authentication response message 2 can enter the subsequent association procedure. In the case of rejection, the association procedure cannot be performed due to the failed authentication.
[0012] The association processing here is the same as described above. More specifically, the access point AP 2 receiving the SSID (Service Set Identifier) in the association request message from the mobile station MT1 identifies the mobile station by that SSID, and determines whether or not to authorize the association. If it authorizes, the access point AP 2 sends to the mobile station MT1 an association response message for authorizing the association. If it rejects, an association response message for rejecting the association is sent. Incidentally, this WEP algorithm is defined by the RC4 technology from RSA Data Security Inc.
[0013] In short, according to this authentication method, the access point and the mobile stations are previously provided with the same secret key, or Shared Secret Key, to realize the mechanism for the access point to grant authentication/association to particular mobile stations. Here, the mobile stations implement the Shared Secret Key in a form unreadable to general users, so as to avoid a theft (read) by malicious intruders. Meanwhile, since the Key itself is not transmitted over the radio transmission channels, interception is precluded to ensure a certain degree of security level.
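The Shared Key Authentication exchange of [0009] to [0011], as an added example that is not part of the patent text: both sides are modelled in Python with a textbook RC4 (WEP keys RC4 with IV || Secret Key), the 128-octet Challenge Text is derived from the WEP-PRNG as the text describes, and the station's reply carries its own Initialization Vector. Class and function names are assumptions; the frame layout and integrity check of the real 802.11 messages are not modelled.

```python
import hmac
import os


def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4 key scheduling plus PRGA, returning n keystream octets."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < n:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_cipher(iv: bytes, secret: bytes, data: bytes) -> bytes:
    """WEP cipher: XOR with the RC4 keystream keyed by IV || Shared Secret Data.
    The same call deciphers, since XOR is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(iv + secret, len(data))))


class AccessPoint:                       # hypothetical model of the AP side
    def __init__(self, shared_secret: bytes):
        self.secret = shared_secret
        self.challenge = None

    def ap_authentication_processing_1(self) -> bytes:
        """Authentication response message 1: a 128-octet Challenge Text
        computed by the WEP-PRNG from a fresh IV and the Secret Key."""
        iv = os.urandom(3)
        self.challenge = rc4_keystream(iv + self.secret, 128)
        return self.challenge

    def ap_authentication_processing_2(self, iv: bytes, ciphered: bytes) -> bool:
        """Decode the returned Challenge Text with the IV received concurrently
        and the Shared Secret Data known in advance, then compare."""
        if self.challenge is None:
            return False                 # no challenge outstanding for this station
        decoded = wep_cipher(iv, self.secret, ciphered)
        return hmac.compare_digest(decoded, self.challenge)   # constant-time compare


class MobileStation:                     # hypothetical model of the MT side
    def __init__(self, shared_secret: bytes):
        self.secret = shared_secret

    def mt_authentication_processing_2(self, challenge: bytes):
        """Authentication request message 2: (IV, ciphered Challenge Text)."""
        iv = os.urandom(3)
        return iv, wep_cipher(iv, self.secret, challenge)


def run_shared_key_authentication(ap_secret: bytes, mt_secret: bytes) -> bool:
    """Run the exchange once; True means the AP authorizes the station."""
    ap, mt = AccessPoint(ap_secret), MobileStation(mt_secret)
    challenge = ap.ap_authentication_processing_1()            # response message 1
    iv, ciphered = mt.mt_authentication_processing_2(challenge)  # request message 2
    return ap.ap_authentication_processing_2(iv, ciphered)     # result of response message 2


if __name__ == "__main__":
    key = bytes(range(13))               # constructed 104-bit key provisioned on both sides
    print(run_shared_key_authentication(key, key))         # True
    print(run_shared_key_authentication(key, bytes(13)))   # False: stations with another key fail
```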
[0014] Such an authentication method for a conventional access point device retains security on the assumption that the algorithms for authentication and the keys for the authentication would never be stolen by those who try to intrude into the network with evil intent. This assumption, however, is not 100% secured. That is, there is no guarantee that complete duplications of authentic terminals would never be made on the access point by authorized procedures. Moreover, there is an undeniable possibility that the keys stored in user-inaccessible memories might be read out in an unauthorized way by using special equipment. Therefore, if those who maliciously try to intrude into the network through such unauthorized activities successfully establish unauthorized association of their terminals, then they can intrude into the network while remaining hidden physically in the area covered by the access point, without any physical operations such as wired cable connection. In other words, there has been a problem that when a wireless network is constructed within a closed space (office or home), the area covered by the central access point is susceptible to the association from terminals of those who try to intrude into the network with evil intent, which lie outside of the closed section, namely, in blind spots beyond walls or the like.

SUMMARY OF THE INVENTION 

[0015] The present invention has been achieved in 
view of such a problem. It is thus an object of the present 
invention to provide an access point device and its au- 
thentication method which can dramatically improve a 
wireless LAN system in security level. 
[0016] An access point device according to the present invention is an access point device having an interface function with a network constructed of wired transmission channels and establishing datalink connection with a plurality of mobile stations within the area of a radio LAN. This access point device includes: notification means for notifying a network administrator administering the LAN of the presence of an authentication-requesting mobile station so as to gain the final authorization of an authentication procedure when a mobile station in the area performs the authentication procedure before the initiation of an association procedure; and input means from which the network administrator notified inputs an authentication-authorizing or -rejecting instruction with respect to the authentication-requesting mobile station.

[0017] An authentication method for an access point device according to the present invention is an authentication method for an access point device having an interface function with a network constructed of wired transmission channels and establishing datalink connection with a plurality of mobile stations within the area of a radio LAN. This authentication method initiates an association procedure after authentication of the mobile stations is completed by performing: a first step in which the mobile stations and the access point device initiate an authentication procedure in response to an authentication request message from the mobile stations to the access point device; a second step in which the access point device, in authorizing the authentication of the mobile stations in the authentication procedure, notifies a network administrator administering the LAN of the final authorization of the authentication procedure and starts an authentication wait timer before the access point device returns an authentication response message, or the final message of the authentication procedure, the authentication wait timer being set at a maximum wait time up to the final determination of the network administrator; a third step in which the network administrator provides a final authentication-authorizing or -rejecting instruction to the access point device before the timeout of the authentication wait timer; a fourth step in which the access point device, when the network administrator provides a final authentication-authorizing instruction before the timeout of the authentication wait timer, restores the timeout of the authentication wait timer and returns the authentication response message to the mobile stations as authentication authorization; and a fifth step in which the mobile stations receiving the authentication response message enter the association procedure.

[0018] In the third step, when the network administrator provides a final authentication-rejecting instruction to the access point device, the authentication response message is returned to the mobile stations as authentication rejection.

[0019] Besides, the authentication response message is returned to the mobile stations as authentication rejection when the authentication wait timer goes time-out in the access point device.



BRIEF DESCRIPTION OF THE DRAWINGS

[0021] Fig. 1 is a block diagram showing the configuration of an access point device according to an embodiment of the present invention;
Fig. 2 is a diagram showing the control sequence of the authentication procedure for authorized authentication;
Fig. 3 is a diagram showing the control sequence of the authentication procedure for situations where authentication is rejected;
Fig. 4 is a flowchart showing the AP authentication processing 3 in the embodiment;
Fig. 5 is a diagram showing the general configuration of a conventional wireless LAN system; and
Fig. 6 is a diagram showing the control sequence of the conventional authentication and association procedures.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

[0022] Hereinafter, an access point device and its authentication method according to the present invention will be described in detail with reference to the accompanying drawings.

[0023] Fig. 1 is a block diagram showing the configuration of the access point device according to the present embodiment.
[0024] The access point device 18 according to the present embodiment is installed in place of the access point AP 2 in Fig. 5 described above. Specifically, the wireless network 1 in Fig. 5 described above includes the access point device 18 connected to the wired transmission channel and the mobile stations MT1 to MT4, with the radio transmission channels defining a definite area covered by the access point device 18. In the wireless area network 1, the access point AP 2 is thus replaced by the access point device 18 shown in Fig. 1.
[0025] In Fig. 1, the access point device 18 includes an antenna 19, radio communication processing means 12, network interface means 11, authentication/association processing means 13, authentication request display means 16 (notification means), and authentication input means 15 (input means), so as to establish connection with the mobile stations MT1, MT2, MT3, and MT4. The radio communication processing means 12 consists of a radio modulation and demodulation unit, a baseband signal processing unit, and a datalink control unit. The antenna 19 is intended for radio transmission and reception and is connected to the radio communication processing means 12. The network interface means 11 connects to an arbitrary wired transmission channel 17, and interfaces the data to be transmitted and received by the radio communication processing means 12. The authentication/association processing means 13 has the function of performing the association and authentication procedures through the radio communication processing means 12 to establish connection with the plurality of mobile stations. The authentication/association processing means 13 also controls the communication with the mobile stations by means of control messages to be exchanged with the mobile stations MT1 to MT4 through the radio communication processing means 12. The authentication request display means 16 provides notification, to the user who administers the wireless area network, of the presence of a mobile station to be authorized of authentication, as instructed by the authentication/association processing means 13; it is thereby realized by a display device, a loudspeaker, or the like. The authentication input means 15 realizes the function of accepting button or similar input by which the user who administers the wireless area network inputs authorization or rejection after the presence of the authentication-requesting mobile station is notified by the authentication request display means 16.
[0026] Hereinafter, the operations of the authentication method for the access point device configured as described above will be described.

[0027] First, description will be given of the sequence for the case where a mobile station is turned on or otherwise initiates the authentication procedure and the authentication is authorized, followed by the case where the authentication is rejected.

[0028] Assume here that the mobile station MT1 is in the area covered by the access point device 18.

[0029] Initially, referring to Figs. 2 and 4, description will be given of the case where the mobile station MT1 is authorized of authentication with the access point device 18.
[0030] Fig. 2 is a diagram showing the control sequence of the authentication procedure in the case of authorized authentication.

[0031] When the mobile station MT1 is turned on, it sends an authentication request message 1 to initiate the authentication procedure. In the access point device 18, the authentication/association processing means 13 receives this message through the radio communication processing means 12. At AP authentication processing 1 (see Fig. 2), the authentication/association processing means 13 performs a numerical operation in accordance with the WEP (Wired Equivalent Privacy)-PRNG (Pseudorandom Number Generator) algorithm by using the Initialization Vector and Secret Key values as the parameters.

[0032] The authentication/association processing means 13 thereby obtains a 128-octet uniquely-determined Challenge Text value, and sends the authentication response message 1 including this value to the mobile station MT1 through the radio communication processing means 12.

[0033] Next, at MT authentication processing 2, the mobile station MT1 receiving this authentication response message 1 ciphers the included Challenge Text value in accordance with the WEP cipher algorithm by using the Shared Secret Data and Initialization Vector as the parameters. The resulting value and the Initialization Vector are included into an authentication request message 2, which is returned to the access point device 18.

[0034] In the access point device 18, at AP authentication processing 2, the authentication/association processing means 13 decodes the ciphered Challenge Text value received, based on the Initialization Vector received concurrently and the Shared Secret Data known in advance. The result is compared with the original Challenge Text value stated before, and if identical, the authentication/association processing means 13 executes the AP authentication processing 3 (see the numeral 23 in Fig. 2).

[0035] In this procedure, the authentication/association processing means 13 notifies the authentication request display means 16 of an authentication wait and starts the authentication wait timer, and the authentication request display means 16 notifies the network-administering user of the presence of the authentication-requesting mobile station MT1.

[0036] Then, if the authentication/association processing means 13 receives a notification from the authentication input means 15 of an authentication-authorizing input made by the network-administering user before the timeout of the authentication wait timer, it stops the authentication wait timer and sends the authentication response message 2 that indicates the authentication authorization to the mobile station MT1 through the radio communication processing means 12.

[0037] The mobile station MT1 receiving this message enters the association procedure by sending an association request message, which the authentication/association processing means 13 receives through the radio communication processing means 12. Then, at the association processing (see the numeral 24 in Fig. 2), the authentication/association processing means 13 determines whether
or not to authorize the association in accordance with a predetermined association authorization rule. If it authorizes, the authentication/association processing means 13 sends an association response message that indicates the authorized association to the mobile station MT1 through the radio communication processing means 12. Reception of this association response message by the mobile station MT1 establishes the datalink between the mobile station MT1 and the access point device 18, allowing data communication thereafter.
[0039] Next, referring to Figs. 3 and 4, description will be given of the case where authentication of the mobile terminal MT1 is rejected by the network-administering user in the authentication procedure, and the case where the authentication wait timer goes time-out to reject the authentication automatically.

[0040] Fig. 3 is a diagram showing the control sequence of the authentication procedure for rejected authentication.

[0041] When the mobile station MT1 is turned on, it sends an authentication request message 1 for initiating the authentication procedure by the Shared Key Authentication.

[0042] In the access point device 18, the authentication/association processing means 13 receives this message through the radio communication processing means 12. Then, at the AP authentication processing 1 (see the numeral 25 in Fig. 3), the authentication/association processing means 13 performs a numerical operation in accordance with the WEP (Wired Equivalent Privacy)-PRNG (Pseudorandom Number Generator) algorithm by using the Initialization Vector and Secret Key values, which can be arbitrarily determined upon each execution of this authentication procedure, as the parameters. The authentication/association processing means 13 thereby calculates a 128-octet uniquely-determined Challenge Text value, and sends the authentication response message 1 including this value to the mobile station MT1 through the radio communication processing means 12.

[0043] Then, at the MT authentication processing 2 (see the numeral 26 in Fig. 3), the mobile station MT1 receives this authentication response message 1 and ciphers the Challenge Text value included therein in accordance with the WEP cipher algorithm, with the Shared Secret Data and Initialization Vector as the parameters. The resulting value and the Initialization Vector are included into an authentication request message 2, which is returned to the access point device 18. Besides, in the access point device 18, the authentication/association processing means 13 receives this message through the radio communication processing means 12. At the AP authentication processing 2 (see the numeral 27 in Fig. 3), the authentication/association processing means 13 decodes the ciphered Challenge Text value received, based on the Initialization Vector received concurrently and the Shared Secret Data known in advance. The result is compared with the original Challenge Text value stated before, and if identical, the authentication/association processing means 13 executes the procedure of the AP authentication processing 3 (see the numeral 28 in Fig. 3). This procedure is shown as the steps S30-S32, and S34 of the flow in Fig. 4.
[0044] In this procedure, the authentication/association processing means 13 in the access point device 18 initially notifies the authentication request display means 16 of an authentication wait (step S30). At the same time, the authentication/association processing means 13 starts the authentication wait timer set at an arbitrary time (step S31), entering a wait for authentication input (step S32). Meanwhile, the authentication request display means 16 informed of the authentication wait immediately notifies the network-administering user of the presence of an authentication-requesting mobile station, through a display device, a loudspeaker, or the like.

[0045] Here, the authentication/association processing means 13, if it receives a notification from the authentication input means 15 of an authentication-rejecting input made by the network-administering user inputting an authentication rejection before the timeout of the authentication wait timer, sends the authentication response message 2 that indicates the authentication rejection to the mobile station MT1 through the radio communication processing means 12 (step S34). Similarly, when the authentication wait timer goes time-out during the authentication input wait (step S32), the authentication/association processing means 13 sends the authentication response message 2 that indicates the authentication rejection to the mobile station MT1 through the radio communication processing means 12 (step S34).
[0046] Returning to Fig. 3, the mobile station MT1 having received this authentication response message 2 cannot enter the subsequent association procedure since the result is of rejection. If necessary, the mobile station MT1 notifies its user of the failed authentication (see the numeral 29 in Fig. 3). Thus, in this case the mobile station MT1 is incapable of data communication.

[0047] Incidentally, the WEP algorithm mentioned here is defined in the RC4 technology by RSA Data Security Inc. Besides, the association processing (see the numeral 24 in Fig. 2) is identical to the association procedure defined in IEEE 802.11.

100481 Moreover, the arbitrary time set the authent. 
EwaU timer is set at can be arbitrarily determined 
byhenlork^ 

Z intermsof the time that is required from the nework 
administering user recognizing the presence . of an au 
thentication-requesting mobile station through the au 
hen cation request display means to the user inputting 

to authorize the mobile station. 
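The AP authentication processing 3 of [0044], [0045] and [0048], as an added example that is not the patent's own code: a Python model of steps S30-S32 and S34 in which the authentication wait timer is driven by an injected clock, so the authorize, reject and time-out paths can be exercised without waiting. Class and method names are assumptions; an administrator input that arrives after the timer has already elapsed is treated as a timeout and rejected.

```python
import time
from typing import Callable, Dict, List, Optional, Tuple

AUTHORIZED = "authentication authorized"   # content of authentication response message 2
REJECTED = "authentication rejected"


class ApAuthenticationProcessing3:
    """Hypothetical model of AP authentication processing 3 (steps S30-S32, S34)."""

    def __init__(self, wait_timeout: float, notify_admin: Callable[[str], None],
                 clock: Callable[[], float] = time.monotonic):
        self.wait_timeout = wait_timeout      # arbitrary time set by the administrator ([0048])
        self.notify_admin = notify_admin      # authentication request display means 16
        self.clock = clock
        self.pending: Dict[str, float] = {}   # station -> authentication wait timer deadline

    def challenge_verified(self, station: str) -> None:
        """Entered after AP authentication processing 2 found the Challenge Text identical."""
        self.notify_admin(f"authentication wait: {station}")       # step S30
        self.pending[station] = self.clock() + self.wait_timeout    # step S31, then wait S32

    def administrator_input(self, station: str, authorize: bool) -> Optional[str]:
        """Authentication input means 15. Returns the response sent, or None when
        nothing is pending for the station (a stray input is ignored, never applied)."""
        deadline = self.pending.get(station)
        if deadline is None:
            return None
        if self.clock() >= deadline:          # timer already elapsed: fail closed
            return self._respond(station, REJECTED)
        return self._respond(station, AUTHORIZED if authorize else REJECTED)

    def poll_timers(self) -> List[Tuple[str, str]]:
        """Called periodically; every expired wait is rejected automatically (S32 to S34)."""
        now = self.clock()
        expired = [st for st, dl in self.pending.items() if now >= dl]
        return [(st, self._respond(st, REJECTED)) for st in expired]

    def _respond(self, station: str, result: str) -> str:
        del self.pending[station]             # stops the authentication wait timer
        return result                         # carried in authentication response message 2


def simulate(wait_timeout: float) -> dict:
    """Constructed scenario: three stations pass the Challenge Text check; the
    administrator authorizes MT1, rejects MT2, and never answers for MT3."""
    now = [0.0]                               # fake clock, advanced by hand
    notices: List[str] = []
    ap = ApAuthenticationProcessing3(wait_timeout, notices.append, clock=lambda: now[0])
    for st in ("MT1", "MT2", "MT3"):
        ap.challenge_verified(st)
    now[0] += wait_timeout / 2
    results = {"MT1": ap.administrator_input("MT1", True),
               "MT2": ap.administrator_input("MT2", False)}
    now[0] += wait_timeout                    # MT3's authentication wait timer goes time-out
    results.update(dict(ap.poll_timers()))
    results["late MT3"] = ap.administrator_input("MT3", True)   # nothing pending: ignored
    results["notices"] = len(notices)         # one display-means notification per station
    return results


if __name__ == "__main__":
    print(simulate(30.0))
```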
[0049] As has been described above, in the present embodiment, the access point device 18 includes the authentication request display means 16 and the authentication input means 15. When a mobile station in the area performs the authentication procedure before the initiation of the association procedure, the authentication request display means 16 notifies the LAN-administering user of the presence of the authentication-requesting mobile station so that the access point device 18 gains the final authorization of the authentication procedure, and the LAN-administering user notified provides an authentication-authorizing or -rejecting instruction with respect to the authentication-requesting mobile station through the authentication input means 15. This allows the LAN-administering user to make the final determination on the pre-association authentication of a mobile station on a wireless LAN system, instead of the automatic authorization by the access point, which makes it significantly harder for intruders with evil intent to establish association with the access point.

[0050] Moreover, in a wireless LAN system that implements the Shared Key Authentication procedure defined as an option in IEEE 802.11, this authentication procedure can be put into operation with the additional implementation of the access point device alone. No modification is required on the mobile stations.

[0051] As has been described in detail, according to the present invention, a wireless LAN system can be dramatically improved in security level without modification to the mobile stations.



Claims

1. An access point device having an interface function with a network constructed of wired transmission channels and establishing datalink connection with a plurality of mobile stations within the area of a radio LAN, the device comprising:
notification means for notifying a network administrator administering said LAN of the presence of an authentication-requesting mobile station so as to gain the final authorization of an authentication procedure when a mobile station in said area performs the authentication procedure before the initiation of an association procedure; and
input means from which said network administrator notified inputs an authentication-authorizing or -rejecting instruction with respect to said authentication-requesting mobile station.

2. An authentication method for an access point device having an interface function with a network constructed of wired transmission channels and establishing datalink connection with a plurality of mobile stations within the area of a radio LAN, said authentication method initiating an association procedure after authentication of said mobile stations is completed by performing:
a first step in which said mobile stations and said access point device initiate an authentication procedure in response to an authentication request message from said mobile stations to said access point device;
a second step in which said access point device, in authorizing the authentication of said mobile stations in said authentication procedure, notifies a network administrator administering said LAN of the final authorization of said authentication procedure and starts an authentication wait timer before said access point device returns an authentication response message, or the final message of said authentication procedure, said authentication wait timer being set at a maximum wait time up to the final determination of said network administrator;
a third step in which said network administrator provides a final authentication-authorizing or -rejecting instruction to said access point device before the timeout of said authentication wait timer;
a fourth step in which said access point device, when said network administrator provides a final authentication-authorizing instruction before the timeout of said authentication wait timer, restores the timeout of said authentication wait timer and returns said authentication response message to said mobile stations as authentication authorization; and
a fifth step in which said mobile stations receiving said authentication response message enter said association procedure.

3. The authentication method for an access point device according to claim 2, wherein said authentication response message is returned to said mobile stations as authentication rejection when said network administrator provides a final authentication-rejecting instruction to said access point device.

4. The authentication method for an access point device according to claim 2, wherein said authentication response message is returned to said mobile stations as authentication rejection upon the timeout of said authentication wait timer in said access point device.

5. The authentication method for an access point device according to claim 2, wherein said authentication procedure is the Shared Key Authentication procedure defined in IEEE 802.11.